CN1262095C - Communications system - Google Patents
- Publication number
- CN1262095C (application CN01817225.3A)
- Authority
- CN
- China
- Prior art keywords
- external server
- client interface
- local terminal
- network
- address
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classifications (all under H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/2514—Translation of Internet protocol [IP] addresses between local and global IP addresses
- H04L61/2517—Translation of Internet protocol [IP] addresses using port numbers
- H04L61/2521—Translation architectures other than single NAT servers
- H04L61/2535—Multiple local networks, e.g. resolving potential IP address conflicts
- H04L61/256—NAT traversal
- H04L61/2564—NAT traversal for a higher-layer protocol, e.g. for session initiation protocol [SIP]
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0281—Proxies
- H04L63/029—Firewall traversal, e.g. tunnelling or creating pinholes
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/108—Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/10—Architectures or entities
- H04L65/102—Gateways
- H04L65/1043—Gateway controllers, e.g. media gateway control protocol [MGCP] controllers
- H04L65/1066—Session management
- H04L65/1101—Session protocols
- H04L65/1106—Call signalling protocols; H.323 and related
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/30—Definitions, standards or architectural aspects of layered protocol stacks
- H04L69/32—Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
- H04L69/322—Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
- H04L69/329—Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
Abstract
The present invention relates to a communications system 1 for handling communications sessions, for example multimedia calls or voice calls. The communications system comprises a local terminal 10, an external server 40, and a proxy interface agent 11 between the terminal 10 and a shared network 20. The communications system includes a first NAT function 32 through which the communications session must pass. The communications session is carried over the network on one or more logical channels between the terminal 10 and the external server 40, during which the first NAT function 32 applies network address mappings to the terminal's transport addresses 14. The proxy interface agent 11 acts on behalf of the terminal in communications with the external server and establishes a logical channel on an outbound connection to the server that serves as a control channel between the proxy interface agent and the server. The proxy interface agent establishes dynamic outbound connections to the server and, in response to a request from the server, makes one or more associations between the terminal's transport address(es) and identifiable logical channel(s) between the proxy interface agent and the server. These identifiable logical channel(s) are established on one or more of the dynamic outbound connections from the proxy interface agent to the server.
Description
Technical field
The present invention relates to a communication system for handling communication sessions, for example a communication system for handling multimedia calls or voice calls.
Background technology
This application proposes an invention that allows endpoints (using real-time protocols such as H.323, SIP or MGCP) located in different secure, private IP data networks to communicate with each other without compromising the data privacy and data security of each private network. The present invention relates to a method and apparatus with the advantage of cooperating with existing security functions such as firewalls, and with the NAPT (network address port translation) functions that may exist in firewalls, routers and proxy servers. A benefit of the invention is that it saves the expense of upgrading these devices to fully protocol-compliant (for example H.323) protocol-aware equipment. The invention provided in this application is applicable to configurations that use simple (1-to-1) NAT (network address translation) mapping at the edge of a private network, and/or to configurations that apply NAPT (network address and port translation) at the edge of a private network. These two configurations can coexist, and the equipment can allow communication between a private network following one configuration and a private network following the other. Similarly, within a single private network some terminals may use one configuration (for example a dedicated room system) while other terminals use the second configuration (for example a desktop client personal computer). Note that NAT in this text refers to all types of network address translation.
The invention provided in this application is described with reference to the International Telecommunication Union (ITU) H.323 standard, because it is the main standard used for real-time multimedia communication on packet networks, including IP networks. However, the present invention is equally applicable to other standards or methods that need to dynamically allocate ports for transmitting bidirectional information (for example the IETF Session Initiation Protocol (SIP)). A main benefit of the invention is that the private network infrastructure (firewalls and routers) does not need to know the protocol used for real-time communication, and the method of tunnelling real-time traffic into and out of the private network can also be protocol-agnostic. This allows an enterprise to configure its equipment without regard to the protocol. Of course, some equipment may still provide 'protocol' inspection for security or other reasons.
Rapidly developing IP (Internet Protocol) data networks are creating new opportunities and challenges for multimedia and voice communications service providers. Incumbent telecommunications carriers, next-generation telecommunications companies and service providers are making unprecedented investments in data network backbones. At the same time, broadband access technologies such as DSL and cable modems have brought widespread high-speed Internet access to the customer base. The service providers' vision is to use IP data networks to deliver new voice, video and data services to the desktops, offices and homes connected by high-speed Internet access.
The H.323 standard is useful for multimedia communication over packet networks that do not guarantee quality of service. It was designed independently of the underlying transport network and protocol. IP data networks are now the default and ubiquitous packet-based network, and most (if not all) H.323 implementations run over IP data networks. Other protocols for real-time (voice and video) communication, such as SIP and MGCP, also use IP data networks to transport call signalling and media. New protocols are also expected to be developed for carrying new real-time voice and video applications over IP data networks. The method proposed by the present invention is applicable to them as well, and to other protocols that require multiple traffic flows for a single session.
If terminals from different manufacturers are to interoperate, standards for wide-area communication are fundamental. In the multimedia field, the current standard for real-time communication over packet-based networks (for example IP data networks) is the ITU standard H.323. H.323 is now a relatively mature standard, with support from the multimedia communication industry including Microsoft, Cisco and Intel Corporation. For example, an estimated 75% of personal computers have Microsoft's NetMeeting (trademark) program installed. NetMeeting is an H.323-compliant software application for multimedia (voice, video and data) communication. Interoperability between equipment from different manufacturers has also now been achieved. More than 120 companies worldwide have participated in the latest interoperability events sponsored by the International Multimedia Telecommunications Consortium (IMTC), an independent body that promotes the interoperability of multimedia telecommunications equipment. These events are held regularly and allow manufacturers to check and resolve interoperability problems.
So far, there have been many obstacles to the widespread adoption of multimedia (particularly video) communication. Ease of use, quality, cost and communication bandwidth have all hindered market growth. Advances in video coding, ubiquitous cheap IP access and the current investment in data networks, combined with the roll-out of ISDN, DSL and cable modems, have alleviated most of these problems, making multimedia communication readily available.
When H.323 was defined as a standard, it was assumed that H.323-to-H.320 gateways positioned at the edge of network domains would convert H.323 to H.320, with H.320 carrying the wide-area transmission between private networks. Therefore, implementations of H.323 over IP have concentrated on communication within a single network.
However, IP has continued to find favour as a wide-area protocol. More and more organizations continue to build their entire data network on IP. High-speed Internet access, managed intranets and virtual private networks (VPNs) built on IP are now commonplace. The trend toward IP is reducing the role of H.320 as the multimedia protocol. The market demand is to replace H.320 entirely with IP-based H.323. But perhaps the main market driver for carrying real-time communication over IP across a WAN (wide area network) is voice. Adopting standards such as H.323 and SIP, users have begun using their computers to make cheap voice calls over the Internet. This marks the beginning of a brand-new voice over IP (VoIP) industry, which is seeking to develop new VoIP products, including Ethernet phones, IP PBXs, softswitches and IP/PSTN gateways, all connected to carry VoIP seamlessly between enterprises and users. H.323, SIP and MGCP are expected to become the dominant standards here.
Unfortunately, in the real world there are still unforeseen technical barriers to wide-area deployment of H.323 and SIP. These technical barriers relate to the communications infrastructure at the boundary of IP data networks.
Therefore, successful multimedia or VoIP communication deployments are at present all confined to intranets or privately managed IP networks.
Two IP technologies, network address translation (NAT) and firewalls, cause many problems. Security is also a concern when considering how to solve these problems. Deploying real-time communication over a data network means passing through a shared network (for example the public Internet), and enterprises must ensure that their information security is not compromised. Current solutions to these problems require the enterprise to expose to the outside world the external IP address of anyone who communicates (and voice communication generally includes everyone). The invention proposed here does not suffer from this drawback, because only the 'trusted' service provider needs to know the enterprise's external IP address, which is precisely how the public Internet has developed on such a large scale.
NAT was introduced to solve the problem of 'address shortage'. Any endpoint or 'host' in an IP network has an 'IP address' that identifies that endpoint, so that packets can be correctly sent or routed to that endpoint and packets received from that endpoint can be identified by their origin. When the IP address space was defined, nobody could predict the dramatic growth in the number of devices. After many years of global IP development, it was recognized that the number of endpoints wanting to communicate using the IP protocol would exceed the number of unique IP addresses that could be derived from the address space. Increasing the address space to make more addresses available would require upgrading the entire IP infrastructure. (The industry is planning to adopt IPv6 at some point to address these problems.)
The present solution is called NAT. The first NAT solution, called simple NAT in IETF RFC 1631, uses one-to-one mappings and arose before the World Wide Web (WWW) appeared, when only a few hosts within an organization (for example e-mail servers, file transfer servers) needed to communicate outside the organization. NAT allows an enterprise to set up a private IP network in which each endpoint has an address that is unique only within that enterprise, but not globally unique. These addresses are private IP addresses. This allows each host within the organization to communicate with any other host within the organization (for example by address). For external communication, a public or globally unique IP address is needed. At the edge of the private IP network is a device with a NAT function, which is responsible for translating between public IP addresses and private IP addresses. The enterprise will have one or more public addresses that belong exclusively to it, but usually needs fewer public addresses than hosts, either because only a few hosts need to communicate externally or because the number of simultaneous external communications is small. More complex NAT implementations have a pool of public IP addresses that are dynamically allocated, on a first-come first-served basis, to hosts that need to communicate externally. External devices that need to send unsolicited packets to a specific internal device require fixed network address rules.
Currently, most private networks use private IP addresses in the 10.x.x.x address range. External communication is normally through a service provider, which provides the service over a managed or shared IP network or over the public Internet. At the boundary between the public network and the private network, NAT is used to change addresses so that they are unique in the IP network the packet is passing through. Simple NAT changes the entire IP address according to a one-to-one mapping, which can be fixed or established dynamically for the duration of a communication session.
Web page servers, mail servers and external servers are all examples of hosts that need a static one-to-one NAT mapping so that external communication can be switched to them.
A result of NAT is that the private IP addresses of hosts are not visible from outside. This adds a level of security.
An extension of simple NAT additionally translates multiple port mappings, and is commonly referred to as NAPT (network address port translation) or PAT (port address translation). Each port identifies one end of a point-to-point connection between two hosts. With large-scale access to the World Wide Web (WWW), the shortage of public IP addresses appeared once again, because now many desktop machines need to communicate outside the private network. The solution specified in IETF RFC 1631 allows a many-to-one mapping of private IP addresses to a public IP address, so that each connection from a private device into the public shared network is allocated a unique port on the public IP address (each IP address has in theory 64k unique ports). Because of the growth of the Internet, PAT is the common address translation method.
A characteristic of PAT is that the allocation of private IP address/port to public IP address/port mappings is carried out dynamically, typically whenever a private device makes an outbound connection to the public network. A consequence of PAT is that data cannot propagate inbound, that is from the public network to the private network, unless an outbound connection has previously caused such a PAT allocation to exist. Typically, PAT devices do not make permanent PAT allocations. After a specified 'quiet' period has elapsed, that is when no inbound data is received any longer for the connection that was started outbound, the PAT allocation for that connection is removed and the port is free to be allocated to a new connection.
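The PAT behaviour described above (many private address/port pairs behind one public address, a public port allocated per outbound connection, inbound packets dropped unless a binding already exists, and bindings reclaimed after a quiet period) can be modelled in a few dozen lines. The following is an added example written for this page, not the patent's own code; the public address 203.0.113.5, the port pool 40000-40009 and the 60-second quiet period are constructed values.

```python
"""Toy NAPT (PAT) table illustrating dynamic port allocation, the inbound
restriction and quiet-period expiry. Added example; all addresses, the
port pool and the timeout are constructed values, not the patent's."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Binding:
    private: Endpoint   # private host address/port behind the NAPT
    remote: Endpoint    # public peer this binding was opened towards
    last_seen: float    # time of the last packet in either direction


@dataclass
class Napt:
    public_ip: str
    quiet_period: float          # seconds of silence before a binding is reclaimed
    first_port: int = 40000      # constructed pool of public ports
    last_port: int = 40009
    # public port -> binding; every private host shares public_ip
    table: Dict[int, Binding] = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        """Reclaim bindings that have been silent longer than the quiet period."""
        stale = [p for p, b in self.table.items() if now - b.last_seen > self.quiet_period]
        for port in stale:
            del self.table[port]

    def outbound(self, src: Endpoint, dst: Endpoint, now: float) -> Endpoint:
        """A private host opens a connection: the source is rewritten to
        (public_ip, public_port), creating the binding if it does not exist."""
        self._expire(now)
        for port, b in self.table.items():      # reuse the binding of an existing flow
            if b.private == src and b.remote == dst:
                b.last_seen = now
                return (self.public_ip, port)
        free = [p for p in range(self.first_port, self.last_port + 1) if p not in self.table]
        if not free:
            raise RuntimeError("public port pool exhausted")
        self.table[free[0]] = Binding(private=src, remote=dst, last_seen=now)
        return (self.public_ip, free[0])

    def inbound(self, src: Endpoint, dst: Endpoint, now: float) -> Optional[Endpoint]:
        """A packet arriving from the public side is delivered only if an
        outbound binding exists for that public port and that remote peer.
        Returns the private destination, or None when the packet is dropped."""
        self._expire(now)
        b = self.table.get(dst[1])
        if dst[0] != self.public_ip or b is None or b.remote != src:
            return None                         # unsolicited: no binding, dropped
        b.last_seen = now
        return b.private


if __name__ == "__main__":
    nat = Napt(public_ip="203.0.113.5", quiet_period=60.0)
    print(nat.outbound(("10.0.0.7", 5060), ("198.51.100.9", 80), now=0.0))
    print(nat.inbound(("198.51.100.9", 80), ("203.0.113.5", 40000), now=2.0))
    print(nat.inbound(("198.51.100.9", 80), ("203.0.113.5", 40000), now=100.0))
```

The inbound check also refuses a packet from a different remote host than the one the binding was opened towards; real NAPT devices vary in how strictly they do this, and that variation is exactly why protocols that need inbound media channels cannot rely on the binding being reachable.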
While public IP protocols and networks make it easier for connected computers to communicate, they also make breaches of privacy and security easier. With relatively little computer skill it is possible to get into personal or confidential data and files, and also to maliciously damage business information. The industry's solution to such attacks is to deploy a firewall at the boundary of the private network.
A firewall is designed to restrict or 'filter' the types of IP traffic that can pass between the private and public IP networks. A firewall can apply restrictions at several levels. Restrictions can be applied to IP addresses, ports, IP transport protocols (for example TCP or UDP) or applications. Restrictions are asymmetric. Typically, a firewall is programmed so that more communication is permitted from the private network (inside the firewall) to the public network (outside the firewall) than in the other direction.
Applying firewall rules to IP addresses appropriately is difficult. Any internal host (i.e. your personal computer) may connect to any external host (web server) anywhere in the world. To allow finer control, the concept of 'well-known ports' is used to solve this problem. A port identifies one end of a point-to-point connection between two hosts. A 'well-known port' is a port that carries a 'known' type of traffic. The Internet Assigned Numbers Authority (IANA) specifies a number of well-known ports and the type of traffic transported on those ports. For example, port 80 is designated for web browsing (HTTP protocol) traffic, port 25 is designated for the Simple Mail Transfer Protocol, and so on.
An example of a firewall filtering rule for web browsing is:
Any internal IP address/any port number can use TCP (Transmission Control Protocol) and HTTP (the application protocol of web browsing) to connect to any external IP address/port 80.
The connection is bidirectional so that traffic can flow back from the web server on the same path. The key point is that the connection is initiated from inside.
An example of a firewall filtering rule for e-mail is:
Any external IP address/any port number can use TCP and SMTP to connect to IP address 192.3.4.5/port 25.
(At the same time, the NAT function may change the destination IP address 192.3.4.5 to the internal address 10.6.7.8 of the mail server.)
A filtering rule such as 'any internal IP address/any port number can connect to any external IP address/any port number using TCP or UDP, and vice versa' is equivalent to removing the firewall and connecting directly, because the filter is too wide. IT managers do not approve of such rules.
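The two example rules above, together with the over-wide "any to any" rule, can be expressed as a small stateful packet filter that keeps the "connection initiated from inside" property: return traffic is admitted only for connections that a permitted opening packet created. This is an added example, not the patent's code; the internal range 10.0.0.0/8, the external hosts in 198.51.100.0/24 and the treatment of 192.3.4.5 as the enterprise's published public address are assumptions made for the example, and the HTTP/SMTP application-layer match in the rules is not modelled (only protocol and port are checked).

```python
"""Minimal stateful packet filter illustrating the firewall rules quoted
in the text. Added example; the private range, the host addresses and
the rule encoding are constructed for this illustration."""

import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed private range
ENTERPRISE_PUBLIC = {"192.3.4.5"}              # published address (NAT maps it to 10.6.7.8)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str          # "tcp" or "udp"
    opening: bool = True  # True for a connection-opening packet (e.g. TCP SYN)


@dataclass(frozen=True)
class Rule:
    direction: str            # "out" (private -> public) or "in" (public -> private)
    proto: Optional[str]      # None matches any transport protocol
    dst_ip: Optional[str]     # None matches any destination address
    dst_port: Optional[int]   # None matches any destination port

    def matches(self, p: Packet, direction: str) -> bool:
        return (self.direction == direction
                and self.proto in (None, p.proto)
                and self.dst_ip in (None, p.dst_ip)
                and self.dst_port in (None, p.dst_port))


def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL or ip in ENTERPRISE_PUBLIC


def direction_of(p: Packet) -> str:
    src_in, dst_in = is_inside(p.src_ip), is_inside(p.dst_ip)
    if src_in and not dst_in:
        return "out"
    if dst_in and not src_in:
        return "in"
    raise ValueError("packet does not cross the boundary")


class Firewall:
    def __init__(self, rules: Iterable[Rule]):
        self.rules: List[Rule] = list(rules)
        # 5-tuples of connections opened under a permitting rule; replies on the
        # same path are admitted without a rule of their own
        self.connections: Set[Tuple[str, int, str, int, str]] = set()

    def allow(self, p: Packet) -> bool:
        direction = direction_of(p)
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)
        reverse = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)
        if reverse in self.connections:          # return traffic of an established connection
            return True
        if p.opening and any(r.matches(p, direction) for r in self.rules):
            self.connections.add(key)
            return True
        return False                              # default deny


# The two rules from the text
WEB_RULE = Rule(direction="out", proto="tcp", dst_ip=None, dst_port=80)
SMTP_RULE = Rule(direction="in", proto="tcp", dst_ip="192.3.4.5", dst_port=25)
# The over-wide rule the text warns against, in both directions
WIDE_OPEN = [Rule("out", None, None, None), Rule("in", None, None, None)]


def is_wide_open(rules: Iterable[Rule]) -> bool:
    """True when the rule set admits any connection in both directions regardless
    of protocol, address and port, i.e. is equivalent to having no firewall."""
    rules = list(rules)
    return all(any(r.direction == d and r.proto is None and r.dst_ip is None
                   and r.dst_port is None for r in rules) for d in ("in", "out"))
```

A dynamically allocated media port has no rule, so an inbound packet to it is refused; this is the situation the text describes for H.323, where the only escape is to widen the rules until `is_wide_open` becomes true.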
H.323 was designed to be independent of the underlying network and transport protocol. However, implementing H.323 in IP networks is possible according to the following general mapping:
H.323 address: IP address
H.323 logical channel: TCP/UDP port connection
In an IP-based H.323 implementation, H.323 protocol messages are sent as the payload of IP packets using the TCP or UDP transport protocol. Many H.323 messages contain the H.323 address of the originating endpoint or the destination endpoint, or of both endpoints. Other signalling protocols such as SIP also embed IP addresses in the payload of the signalling protocol.
The problem, however, is that the NAT function changes the apparent IP address (and port) of the source and destination hosts without changing the H.323 address in the H.323 payload. Because hosts use the H.323 address and port exchanged in the H.323 payload to associate each received packet with the call, this breaks the H.323 protocol, and an intermediary is needed to process the addresses in the H.323 payload.
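The mismatch described above is easy to show with a constructed signalling message. The example below is added for this page and is not the patent's code: the `verb key=value` message encoding and the `media=` field stand in for an H.323 or SIP message (real H.323 uses ASN.1 and real SIP uses SDP, neither of which is reproduced here), and all addresses are constructed. `simple_nat` rewrites only the header, `payload_mismatch` detects the resulting inconsistency, and `protocol_aware_nat` does what the "upgrade the NAT to be H.323-aware" option later in the text requires: it rewrites the payload address with the same mapping and opens the binding for the advertised media port.

```python
"""Header-only NAT versus protocol-aware NAT on a signalling message that
carries a transport address in its payload. Added example; the message
format, field names and addresses are constructed, not H.323's encoding."""

import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Tuple

PRIVATE = ipaddress.ip_network("10.0.0.0/8")   # constructed private range
Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: str   # e.g. "OPEN_LOGICAL_CHANNEL media=10.0.0.7:5004" (constructed format)


def parse_payload(payload: str) -> Dict[str, str]:
    verb, *fields = payload.split()
    parsed = {"verb": verb}
    for f in fields:
        key, _, value = f.partition("=")
        parsed[key] = value
    return parsed


def format_payload(fields: Dict[str, str]) -> str:
    return " ".join([fields["verb"]] + [f"{k}={v}" for k, v in fields.items() if k != "verb"])


def simple_nat(pkt: Packet, mapping: Dict[Endpoint, Endpoint]) -> Packet:
    """Plain NAT/NAPT: rewrite the IP/transport header only; the payload is untouched."""
    return replace(pkt, src=mapping.get(pkt.src, pkt.src))


def payload_mismatch(pkt: Packet) -> bool:
    """True when the payload still advertises a private address although the
    header now carries a public one: the peer would send media to an address
    that is unroutable from its side."""
    media = parse_payload(pkt.payload).get("media")
    if not media:
        return False
    ip = media.rpartition(":")[0]
    header_private = ipaddress.ip_address(pkt.src[0]) in PRIVATE
    return ipaddress.ip_address(ip) in PRIVATE and not header_private


def allocate(mapping: Dict[Endpoint, Endpoint], private: Endpoint, public_ip: str) -> Endpoint:
    """Open a binding (the 'pinhole') for a private transport address the NAT
    has learned from the payload, using the next free port on public_ip."""
    if private not in mapping:
        used = [port for ip, port in mapping.values() if ip == public_ip]
        mapping[private] = (public_ip, max(used) + 1 if used else 40000)
    return mapping[private]


def protocol_aware_nat(pkt: Packet, mapping: Dict[Endpoint, Endpoint], public_ip: str) -> Packet:
    """What an H.323-aware NAT must do: rewrite the header and every transport
    address in the payload consistently, allocating bindings as needed."""
    out = simple_nat(pkt, mapping)
    fields = parse_payload(out.payload)
    if "media" in fields:
        ip, _, port = fields["media"].rpartition(":")
        pub_ip, pub_port = allocate(mapping, (ip, int(port)), public_ip)
        fields["media"] = f"{pub_ip}:{pub_port}"
    return replace(out, payload=format_payload(fields))
```

The protocol-aware variant has to parse every signalling message on the boundary, which is the latency and per-protocol cost the text lists among the disadvantages of upgrading the infrastructure.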
Because of the complexity of H.323 multimedia communication, multiple logical channels must be opened between endpoints. Call control, capability exchange, audio, video and data all require logical channels. Even a simple point-to-point H.323 multimedia session involving only audio and video requires at least 6 logical channels. In H.323 implementations over IP, logical channels are mapped to TCP or UDP port connections, many of which are allocated dynamically.
When the firewall function filters out traffic on ports for which no rule applies, either the firewall is opened up, which renders the firewall ineffective, or most H.323 traffic cannot pass.
Therefore, both NAT and firewall functions between H.323 endpoints (and endpoints of other real-time protocols, such as SIP and MGCP) stop the communication from working. This is typically the situation when the endpoints are located in different private networks, when one endpoint is in a private network and the other on the Internet, or when the endpoints are in different managed IP networks.
H.323 (and SIP, MGCP etc.) communication is therefore very unfavourable for firewalls. Either the firewall must become H.323-aware, or some intelligence in the middle must handle the allocation of ports in a secure manner.
One solution to this problem is to upgrade the entire IP infrastructure to be H.323-aware. This requires:
● Upgrading the NAT function at every IP network boundary to be H.323-aware. The NAT function must scan all H.323 payloads and change the IP addresses consistently.
● Upgrading the firewall function at every IP network boundary to be H.323-aware. The firewall must understand and monitor all H.323 communication, so that it can open the dynamically allocated ports, and it must filter all non-H.323 traffic on those ports.
● Adopting H.323 intelligence at the boundary or in the shared IP network to resolve and arbitrate addresses. IP addresses are seldom used directly by users; an alias for the IP address is actually used. Intelligence is needed to resolve the alias to an IP address. This H.323 functionality is contained in the H.323 entity called the Gatekeeper.
The disadvantages of this possible solution are:
● Each organization/private network with which communication exists must have the same level of H.323 upgrade.
● The upgrade is expensive. New functions or new equipment must be purchased, planned and deployed. IT managers must learn H.323.
● As the technology is adopted progressively, an initial configuration larger and more expensive than the original (or trial) demand is required, and the scale of this configuration cannot be rapidly adapted to the demand placed on it.
● Continuously analysing H.323 packets at every network boundary to resolve the simple NAT and firewall functions adds latency to the signalling. The delay tolerance of audio and video is very small.
● Because there are multiple standards for real-time communication, each with a different signalling protocol, the enterprise needs multiple upgrades, one for each protocol it wants to use.
● Media is expected to propagate directly between enterprises, or between an enterprise and equipment on the public network. The result is that the enterprise's IP addresses become public knowledge. This is considered a security compromise, because any potential attacker must first discover the IP address of the enterprise as the first step of an attack.
Because of these problems, the H.323 protocol is not used for multimedia communication through firewalls and/or network address translation (NAT). One approach is to deploy the H.323 system on the public side of the firewall and NAT function. This allows the organization to use H.323 while still protecting the remainder of its network. The disadvantages of this approach are:
1. The most ubiquitous equipment used for video communication is the desktop PC. It is absurd to deploy all desktop computers on the public side.
2. H.323 systems on the public side of the firewall cannot be protected from attackers.
3. Because only dedicated systems are allowed to communicate with H.323, the company cannot take advantage of the potentially ubiquitous nature of H.323.
4. The company cannot make full use of the data-sharing facilities within H.323, because the firewall will prevent the H.323 system from accessing this data. Opening the firewall is not an option, because this would allow an attacker to use the H.323 system as a relay to forward data from the H.323 system.
5. In the emerging voice over IP (VoIP) market, there is a market for telephony equipment that connects directly to the data network, for example Ethernet phones or IP private branch exchanges. By their desktop nature, they are typically placed in the private network behind the firewall and NAT. Without a solution to the various problems described above, telephony using these devices is confined to the enterprise private network or intranet, or the calls must reach the outside world through an IP-PSTN gateway.
Realizing the advantages of voice, video and data communication for broadband-connected enterprises requires a secure solution to these problems.
The Cisco Systems white paper 'Deploying H.323 Applications in Cisco Networks', Sam Kohta, 1998, discusses the interaction between NAT and the H.323 protocol. A firewall can be used to decode and change all addresses passed in the H.323 protocol, or a proxy add-on can be used as a firewall that only allows traffic conforming to the H.323 protocol to pass.
Various schemes for implementing H.323 are discussed in the article entitled 'ITU-T standardization activities for interactive multimedia communications on packet-based networks: H.323 and related recommendations', J. Toga and J. Ott, Computer Networks 31 (1999) 205-223.
Summary of the invention
The object of the invention is to address these problems.
Accordingly, the invention provides a communication system for handling a communication session with a destination communication system, comprising: a first local terminal in a first network; a first external server in a second network; one or more logical channels between the first local terminal and the first external server for carrying the communication session over a shared communication network; and means for performing a NAT function, through which the communication session must pass, wherein:
A) the first local terminal has at least one transport address for the communication session;
B) the means for performing the NAT function applies a network address mapping to the transport address on the connection between the first local terminal and the shared communication network;
C) the system comprises a client interface agent that represents the first local terminal in communicating with the first external server;
D) the client interface agent establishes logical channels on one or more outbound connections to the first external server, these logical channels serving as control channels between the client interface agent and the first external server;
characterised in that:
E) the client interface agent establishes the outbound connections as dynamic outbound connections;
F) the client interface agent establishes an association between the transport address of the first local terminal and an identifiable logical channel, the identifiable logical channel being between the client interface agent and the first external server and established on one or more of the dynamic outbound connections from the client interface agent to the first external server.
The invention also provides a method of handling a communication session in a communication system comprising a first local terminal in a first network, a first external server in a second network, a client interface agent between the first local terminal and a shared communication network, and means for performing a NAT function through which the communication session must pass, the method comprising the steps of:
A) carrying the communication session on one or more logical channels between the first local terminal and the first external server over the shared communication network, the first local terminal having at least one transport address for the communication session;
B) having the means for performing the NAT function continuously apply a network address mapping to the transport address on the connection between the first local terminal and the shared communication network;
C) using the client interface agent to represent the first local terminal in communicating with the first external server;
D) using the client interface agent to establish logical channels on one or more outbound connections to the first external server, these logical channels serving as control channels between the client interface agent and the first external server; the method being characterised by the further steps of:
E) using the client interface agent to establish dynamic outbound connections to the first external server;
F) using the client interface agent to establish one or more associations between the transport address of the first local terminal and an identifiable logical channel, the identifiable logical channel being between the client interface agent and the first external server and established on one or more of the dynamic outbound connections from the client interface agent to the first external server.
The logical channels together provide the communication session. The outbound connections create the NAT mappings required, and these mappings carry both inbound and outbound traffic between the terminal and the external server. Communication to and from the first local terminal is mapped transparently onto the identifiable logical channel by the first client interface agent. The external server communicates with the destination communication system as if it were the first terminal. The communication system can therefore provide a transparent means of communication between the first terminal and the destination communication system, with the external server responsible for forwarding the communication.
To allow inbound communication over TCP, a bidirectional outbound connection is established in advance to create the NAT mapping.
To allow inbound communication over UDP, a probe packet is sent to create the NAT mapping.
During the communication session the first NAT function continues to apply the network address mapping to the connection between the first client interface agent and the external server.
Using ordinary multiplexing techniques, identifiable logical channels can be multiplexed onto one or more connections.
An example of a transport address is an IP address plus a port number. The network address mapping is therefore normally a mapping of IP address and/or port.
In one embodiment of the invention, the first client interface agent establishes the association in response to a request from the external server.
In another embodiment, the first client interface agent establishes the association in response to a request that it generates itself.
The external server (or alternatively the first client interface agent) may also be adapted to request that the external server establish an association between the identifiable logical channel and the logical channel over which the external server communicates with the destination communication system, the destination communication system being, for example, the destination terminal.
The transport address of the first local terminal is preferably dynamically assigned. Likewise, the transport address of the external server may be dynamically assigned.
Alternatively, the transport address of the external server may be statically assigned.
The communication system may comprise a first firewall through which the communication session must pass. The first firewall is then configured to restrict particular types of communication between the first local terminal and the shared communication network, but not communication between the first client interface agent and the external server.
At least one transport address of the external server may have at least one pre-assigned (sometimes called "well-known") port. The outbound connections from the first client interface agent to the external server then use that pre-assigned port.
Preferably all transport addresses of the external server have pre-assigned ports, and all outbound connections from the first client interface agent to the external server connect to those transport addresses. In this case the transport addresses of the external server may have at most two pre-assigned ports each.
The number of pre-assigned ports on the external server may be less than or equal to the total number of ports dynamically assigned to the terminal. For example, the external server may have three pre-assigned ports: one for TCP and two for UDP.
The communication system may comprise a second local terminal, the external server being a proxy server between the first and second terminals that acts during the communication session as the proxy of each terminal towards the other.
In many cases the second local terminal will be behind a second firewall and/or a second NAT function through which the communication session must pass. The second firewall can then be configured to restrict particular types of communication between the second terminal and the public communication network. The external server then has logical communication ports for communicating with multiple terminals, including one or more pre-assigned ports for communicating with the second terminal. The second firewall can then be configured not to restrict communication between the second terminal and the pre-assigned ports of the proxy server, and a second client interface agent acts on behalf of the second terminal in communicating with the external server. The communication session at the second local terminal, with the second client interface agent, proceeds in a manner similar to that described above.
Alternatively, the second terminal and the second client interface agent may be connected to a second external server, the external servers communicating over the public or shared network.
The shared communication network generally comprises a public communication network and/or the Internet.
The client interface agent may be co-located with the local terminal or, alternatively, remote from it.
The invention is also useful where there is more than one local terminal per client interface agent. A client interface agent can simultaneously act for terminals using the same or different real-time (or non-real-time) protocols, for example H.323 and SIP. A signalling gateway function (for example between H.323 and SIP) is preferably located in the external server or in the client interface agent.
Additional features or functions (for example quality of service and/or security through encryption) can be provided transparently to the endpoints by the client interface agent and the external server.
The system can be used to make voice or multimedia calls according to the ITU H.323 standard. Alternatively, it can make voice or multimedia calls according to the IETF SIP standard. The system and method can also use non-real-time protocols to establish other types of communication session through firewalls and NAT, for example file transfer, so that its function concerns dynamically established logical channels identified by transport addresses that the NAT leaves unchanged. The communication system can also support mixed protocol environments.
The client interface agent can be co-located on an endpoint (for example a PC terminal), or can reside on a separate device away from the endpoint it represents.
The terminals may be adapted to send and/or receive multimedia media signals and associated multimedia control signals, the control signals being sent to one pre-assigned port and the media signals to other pre-assigned ports.
Preferably at least one logical communication port is a pre-assigned port, and the request that initiates a communication session is sent to that pre-assigned port.
The communication system may be adapted to make voice or multimedia calls at least partly over the Internet, in which case the external server has a public Internet Protocol address through which one or both terminals communicate with it, and the firewall is configured not to restrict communication between the terminals and the pre-assigned ports of the external server.
The invention can be applied where there are one or more pairs of first and second terminals. For example, several first voice or multimedia terminals at one site can each be connected to corresponding second voice or multimedia terminals at a number of other locations.
The invention allows two terminals, each located in a private network, to communicate over a common public (or shared) network, where the private network of one or both is connected to the public network through a firewall and/or NAT that restricts particular types of communication with the public network. Similarly, the invention allows a terminal in a private network to communicate with a terminal in a public network, where the two networks are connected through a firewall and/or NAT that restricts particular types of communication.
The invention is described only with reference to the operation between a first endpoint, called here the first local terminal, and an intermediate server, called the external server. The operation between a second terminal and the external server mirrors that between the first terminal and the external server. Moreover, where the second terminal is connected directly to the public network, this is equivalent to its being connected to a private network whose firewall and NAT perform a null function: the firewall restricts no connection, and the NAT uses the same address on both sides of the connection.
The invention involves the configuration of an external server in the shared or public network and of a client interface agent in the private network. The external server may be owned and operated by a public service provider, and therefore typically serves enterprises that wish to communicate with H.323 across the private/public network boundary. The client interface agent can be implemented as part of the terminal, independently of the terminal but running on the same device as the terminal, or installed on a separate device.
At start-up the client interface agent establishes a TCP connection to the external server. If a firewall and/or NAT is present, the connection passes through it. This requires the firewall to allow outbound TCP connections to the external server's address and well-known port. The NAT can provide the private-to-public address mapping (and vice versa) because the connection is established in the outbound direction. As part of the set-up process the external server and the client interface agent can authenticate each other, and the connection can be encrypted. The protocol running over this connection allows several signalling protocols to be multiplexed. Such signalling protocols include, but are not limited to, H.225 RAS, H.225 call signalling, H.245 and SIP. In practice this connection is sufficient for all communication between the first local terminal and the external server, and the performance characteristics of a TCP connection are acceptable. Once established, the multiplexed connection remains mostly idle, apart from periodic registration messages, until an outgoing or incoming call attempt is made. For additional security the connection can be torn down and re-established at (short) intervals. Each re-establishment potentially creates a new port allocation in the NAT function and a new encryption key, which reduces an attacker's opportunity to exploit the connection.
The transport characteristics of the multiplexed connection are, however, unsuitable for real-time media such as audio and video. These require UDP-based RTP/RTCP connections to be established between the client interface agent and the external server. UDP traffic in both directions, inbound and outbound, requires an RTP/RTCP connection. To send media from the terminal to the public network via the external server, the external server sends an H.323 message to the client interface agent (over the multiplexed connection) instructing the terminal to send its media to the client interface agent. (This can be done with standard H.323 procedures, by populating the address and port fields of the H.323 messages so that the terminal and the client interface agent appear to be the two ends of an H.323 call.) The client interface agent must then establish a UDP exchange, through the firewall and/or NAT, to and from the external server.
In principle the client interface agent can establish a UDP connection to the external server simply by sending UDP packets to the external server's address and well-known port. The firewall can be configured to allow this traffic, and the NAT can create a private-to-public address mapping because the connection is established in the outbound direction. However, a device such as the external server, which handles many calls involving many UDP connections, typically uses the IP destination address and port, and/or the IP source address and port, to associate UDP data with the appropriate call. In the case of the external server, all UDP data must be sent to the same IP address and well-known port in order to pass the firewall, so the IP destination address and port cannot be used to distinguish UDP connections. Moreover, from the external server's point of view the NAT effectively assigns a random IP source address and port to the UDP data it sends. The result is that the IP source address and port arriving at the external server do not correspond to any media channel that the external server (or the client interface agent) has negotiated over the signalling channel.
To solve this correlation problem, the external server (or the client interface agent) instructs the client interface agent, over the TCP-based multiplexed connection, to send it a probe packet using the same IP source and destination addresses and ports that the client interface agent will use for the subsequent UDP data of that connection. The probe packet contains a unique token chosen by the external server (or the client interface agent), which allows the external server to associate the received probe packet with the appropriate UDP connection. The external server can then associate the IP source and destination addresses and ports of the probe packet with that UDP connection. Knowing this address and port information, the external server can subsequently associate UDP data received from those addresses and ports with the appropriate call, so that it can be forwarded correctly to and from the destination communication system. In another embodiment the token is multiplexed into every UDP packet sent. Furthermore, multiple logical channels can be multiplexed onto the same UDP connection. One advantage of the latter approach is that it saves ports on the client interface agent. A second is that it reduces the bandwidth consumed by UDP headers, which are otherwise sent with every RTP/RTCP packet. Because the logical channels are multiplexed, fewer TCP and UDP connections are used, and those connections can be placed on pre-assigned or well-known ports at the client interface agent, which allows tighter firewall rules.
To send data from the external server to the client interface agent, the NAT must map a public address to a private address. Because this is typically a one-to-many mapping, a NAT generally cannot create such a mapping dynamically on its own. However, the network path created when an outbound UDP connection from the client interface agent to the external server is established as described above is in fact bidirectional. A UDP connection from the external server to the client interface agent is therefore established by the same steps as a UDP connection from the client interface agent to the external server; once the address and port association has been established, the external server uses that information to send UDP data rather than to receive it. The client interface agent then sends the UDP data on to the terminal. Standard H.323 signalling with appropriate address and port values can be used to prepare the terminal to receive UDP data from the client interface agent.
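The probe-packet exchange just described, as an added illustration that is not code from the patent: it simulates in one process the NAT, the client interface agent's media socket and the external server, and shows why the token is needed (the server sees a public address and port it never negotiated) and how the learnt mapping is then reused for the inbound direction. The wire format (`PROBE:` prefix plus an 8-byte token), the port value for "port X", the private addresses and the call identifier are assumptions.

```python
import os
from dataclasses import dataclass, field

WELL_KNOWN_RTP_PORT = 5004   # "port X" of the text; the value is an assumption


@dataclass
class Nat:
    """Minimal NAPT: maps a private (ip, port) to the public ip and a random port."""
    public_ip: str
    outbound: dict = field(default_factory=dict)   # private -> public
    inbound: dict = field(default_factory=dict)    # public -> private

    def translate_out(self, src, dst):
        if src not in self.outbound:
            while True:   # pick an unused public port; random from the server's view
                pub = (self.public_ip, 1024 + int.from_bytes(os.urandom(2), "big") % 60000)
                if pub not in self.inbound:
                    break
            self.outbound[src] = pub
            self.inbound[pub] = src
        return self.outbound[src], dst

    def translate_in(self, src, dst):
        """Inbound packets are forwarded only to an address an outbound packet mapped."""
        priv = self.inbound.get(dst)
        if priv is None:
            raise PermissionError("no NAT mapping for inbound packet")
        return src, priv


class ExternalServer:
    def __init__(self, ip):
        self.addr = (ip, WELL_KNOWN_RTP_PORT)
        self.pending = {}     # token -> call id, handed out over the TCP control channel
        self.by_source = {}   # public (ip, port) learnt from the probe -> call id
        self.received = {}    # call id -> media payloads

    def issue_token(self, call_id):
        token = os.urandom(8)
        self.pending[token] = call_id
        return token

    def on_udp(self, src, payload):
        """Return the call the packet was attributed to, or None if it was dropped."""
        if payload.startswith(b"PROBE:"):
            call_id = self.pending.pop(payload[6:], None)
            if call_id is not None:
                self.by_source[src] = call_id   # the association the text describes
            return call_id
        call_id = self.by_source.get(src)
        if call_id is not None:
            self.received.setdefault(call_id, []).append(payload)
        return call_id

    def media_source_for(self, call_id):
        return next((s for s, c in self.by_source.items() if c == call_id), None)


def run_session():
    """The exchange end to end, returning what each side learnt."""
    nat = Nat(public_ip="192.1.1.1")          # enterprise public address 22
    server = ExternalServer("45.6.7.8")       # external server address 44
    agent = ("10.0.0.5", 40000)               # agent's private RTP socket; value assumed
    call_id = "call-1"

    token = server.issue_token(call_id)       # 1. sent to the agent on the control channel
    pub_src, dst = nat.translate_out(agent, server.addr)
    probed = server.on_udp(pub_src, b"PROBE:" + token)   # 2. probe from the media socket
    pub_again, _ = nat.translate_out(agent, server.addr)
    media = server.on_udp(pub_again, b"RTP:frame1")      # 3. same mapping, so attributed
    learnt = server.media_source_for(call_id)
    _, inbound_to = nat.translate_in(server.addr, learnt)   # 4. reverse path now exists
    stray = server.on_udp(("203.0.113.9", 5555), b"RTP:stray")   # 5. never probed: dropped
    return {"probed": probed, "media": media, "same_mapping": pub_again == pub_src,
            "frames": server.received.get(call_id, []), "inbound_to": inbound_to,
            "stray": stray}
```

The token is consumed on first use, so a replayed probe cannot re-bind the call to a different source; a real implementation would also expire unused tokens and re-probe after the NAT mapping times out during a silent period.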
As described, the first client interface agent and the external server provide a communication system and method that allow the first terminal to communicate with the destination communication system through an unmodified NAT and firewall. This is achieved by:
A) modifying the addresses in the protocol (H.323, SIP, etc.) so that the terminal communicates with the first client interface agent as if it were the destination communication system, and the destination communication system communicates with the external server as if it were the first terminal; and
B) dynamically associating 1) the logical channel used by the first terminal, 2) the identifiable logical channel from the first client interface agent to the external server, established on the dynamic outbound connection from the first client interface agent to the external server, and 3) the logical channel established between the external server and the destination communication system.
The modification of addresses in the protocol can be performed by the external server, by the first client interface agent, or by both. Wherever the modification is performed, requests and instructions must be exchanged between the first client interface agent and the external server so that the dynamic association can be carried out. These requests and instructions are carried in a client-server protocol between the first client interface agent (client) and the external server (server), which runs on the control channel and may also be carried on the outbound connections from the first client interface agent to the external server.
When the external server is responsible for modifying the addresses in the protocol, the first client interface agent is considered the master of the client-server protocol and the external server the subordinate.
When both the first client interface agent and the external server modify the protocol, they can negotiate, or be configured, so that one is master and the other subordinate.
Because the one or more outbound connections from the first client interface agent for one or more calls arrive at the same transport address of the external server, and because the source addresses of these outbound connections are randomised by the one or more NATs they pass through, probe packets containing a known identifier are used to establish the outbound connections, the identifier being exchanged between the first client interface agent and the external server (or vice versa). The identifier allows the external server to make the association it needs to forward the call correctly to and from the destination communication system.
The invention will now be described by way of example with reference to the accompanying drawings.
Description of drawings
Fig. 1 is a schematic diagram of a communication system according to the invention for making voice or multimedia calls between two enterprises, in which the client interface agent is co-located with the endpoint;
Fig. 2 is a schematic diagram similar to Fig. 1, except that the client interface agent is remote from the endpoint; and
Fig. 3 is a schematic diagram of the communication system of Figs. 1 and 2, showing the logical channels used for outbound and inbound communication within the outbound connections between a local terminal inside the enterprise and the external server.
Embodiment
The example described with reference to Fig. 1 proposes an alternative to upgrading the entire H.323 system. Fig. 1 shows a communication system 1 with a first enterprise 2 and a second enterprise 4, each comprising a private network 6, 8, and each private network having one or more H.323 terminals 10, 12. Each private network 6, 8 uses private IP addresses in the 10.x.x.x range. The private IP addresses 14, 16 can be statically assigned or dynamically assigned by the usual DHCP procedure. Within the private networks 6, 8 are client interface agents 11, 13, acting for terminals 10, 12 respectively. If the client interface agents are not co-located with their respective terminals, they have their own unique IP addresses within the ranges of their respective private networks 14, 16; in that case each client interface agent 11, 13 can act for multiple terminals 10, 12. In Fig. 1 the client interface agents are shown co-located; in Fig. 2 they are shown not co-located. External communication is over a shared, managed or public Internet 20. For external communication, the first enterprise 2 has one or more public IP addresses 22, for example in a range beginning at 192.1.1.1, and the second enterprise 4 has one or more public IP addresses 24, for example in a range beginning at 206.1.1.1. Each enterprise has a router 32, 34 that applies network address port translation (NAPT): a dynamic mapping between the internal (private) IP addresses 14, 16 and port numbers and the external (public) IP addresses 22, 24 and chosen port numbers.
Table 1:
| Rule | From IP address | From port | To IP address | To port | Protocol | Description |
|---|---|---|---|---|---|---|
| 1 | Any | Any | External server | Z | TCP | Outbound multiplexed connection |
| 2 | External server | Z | Any | Any | TCP | Inbound multiplexed connection |
| 3 | Any | Any | External server | X | UDP | Outbound media (RTP) |
| 4 | External server | X | Any | Any | UDP | Inbound media (RTP) |
| 5 | Any | Any | External server | Y | UDP | Outbound media (RTCP) |
| 6 | External server | Y | Any | Any | UDP | Inbound media (RTCP) |
In Table 1, the port numbers X, Y and Z should ideally be registered with IANA according to the standard procedure. The advantage of using industry-standard ports is that intermediate devices such as firewalls and routers can recognise the associated media as real-time traffic and handle it appropriately, for example by giving it higher forwarding priority in routers to reduce delay.
For an H.323 terminal 10 in the first enterprise 2 to communicate with another H.323 terminal 12 in the second enterprise 4, there must be a shared network 20 connected to an external server 40, for example through a router 38. The external server has a public IP address 44, for example 45.6.7.8. The external server also has new well-known port numbers X, Y and Z 46, which must be agreed and registered in advance with IANA.
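To see what the six rules of Table 1 actually admit, here is an added example (not code from the patent) that encodes them as a first-match allow list with a default deny and evaluates candidate packets against them. The values chosen for X, Y and Z, the terminal and agent addresses, and the peer enterprise address are assumptions; the text only says the ports must be registered with IANA. The direct-call case uses 1720, the standard H.225 call-signalling port.

```python
from typing import NamedTuple, Optional

EXTERNAL_SERVER = "45.6.7.8"        # public address 44 of the external server
X, Y, Z = 5004, 5005, 2517          # assumed values for the well-known ports
ANY = None


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


class Rule(NamedTuple):
    number: int
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    proto: str
    description: str


TABLE_1 = [
    Rule(1, ANY, ANY, EXTERNAL_SERVER, Z, "TCP", "Outbound multiplexed connection"),
    Rule(2, EXTERNAL_SERVER, Z, ANY, ANY, "TCP", "Inbound multiplexed connection"),
    Rule(3, ANY, ANY, EXTERNAL_SERVER, X, "UDP", "Outbound media (RTP)"),
    Rule(4, EXTERNAL_SERVER, X, ANY, ANY, "UDP", "Inbound media (RTP)"),
    Rule(5, ANY, ANY, EXTERNAL_SERVER, Y, "UDP", "Outbound media (RTCP)"),
    Rule(6, EXTERNAL_SERVER, Y, ANY, ANY, "UDP", "Inbound media (RTCP)"),
]


def _match(value, pattern):
    return pattern is ANY or value == pattern


def matching_rule(pkt, rules=TABLE_1):
    """Return the first rule that permits pkt, or None (default deny)."""
    for r in rules:
        if (r.proto == pkt.proto
                and _match(pkt.src_ip, r.src_ip) and _match(pkt.src_port, r.src_port)
                and _match(pkt.dst_ip, r.dst_ip) and _match(pkt.dst_port, r.dst_port)):
            return r
    return None


def permitted(pkt, rules=TABLE_1):
    return matching_rule(pkt, rules) is not None


def check_scenarios():
    """Which flows from the description pass firewall 26? Addresses are assumed."""
    agent, terminal, peer = "10.0.0.5", "10.0.0.7", "206.1.1.1"
    cases = {
        "agent mux tcp out":   Packet(agent, 40001, EXTERNAL_SERVER, Z, "TCP"),
        "server mux tcp back": Packet(EXTERNAL_SERVER, Z, agent, 40001, "TCP"),
        "agent rtp out":       Packet(agent, 40002, EXTERNAL_SERVER, X, "UDP"),
        "server rtp in":       Packet(EXTERNAL_SERVER, X, agent, 40002, "UDP"),
        # terminal trying to reach the other enterprise directly on H.225: blocked
        "terminal direct h225": Packet(terminal, 40003, peer, 1720, "TCP"),
        # media from the other enterprise straight to the terminal: blocked
        "peer direct rtp in":  Packet(peer, X, terminal, 40004, "UDP"),
    }
    result = {}
    for name, pkt in cases.items():
        r = matching_rule(pkt)
        result[name] = r.number if r else None
    return result
```

Rules 2, 4 and 6 are the return direction of rules 1, 3 and 5. On a stateful firewall they can be replaced by connection tracking of the outbound flows, which is tighter: an inbound packet is then accepted only on a mapping the agent created, rather than on any packet that carries the external server's address and port.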
Fig. 3 shows the communication paths between the various entities as seen from the first terminal 10, the first client interface agent 11, the first firewall 26, the first NAPT router 32 and the external server 40. It shows the multiplexed connection 51 between the client interface agent 11 and the external server 40 passing through the firewall 26 and the NAPT router 32. Within the multiplexed connection 51 are one or more logical channels 52, 53. One of them is the control channel 52; the other channels 53 carry signalling protocols such as H.225 RAS, H.225 call signalling, H.245, SIP and MGCP. As part of the operation described below, the client interface agent 11 sends probe packets 55 to the external server 40, and UDP connections 56, 57 are established between the terminal 10 and the external server 40. One or more logical channels can be multiplexed onto the UDP connections 56, 57 to carry media such as RTP and RTCP.
The client interface agent 11 can operate in one of several modes depending on operational requirements. In principle it can be protocol-agnostic or protocol-aware. If it is protocol-agnostic, the external server 40 instructs the client interface agent 11 to open and close whatever UDP sockets are needed. This is the most flexible mode, since it allows terminals using new protocols to be added to the private network without upgrading the client interface agent 11. However, without suitable safeguards this presents a security threat, since a third party could instruct the client interface agent to open UDP channels for improper purposes. For this reason, if this mode is adopted, it is recommended that the client interface agent 11 perform at least some form of checking. If the client interface agent 11 is protocol-aware, it can allocate ports when instructed by the external server 40 but need not perform any relay function until it observes the appropriate protocol signalling indicating that those ports are being used for the permitted application. Furthermore, when the client interface agent 11 is protocol-aware, the external server need not be, since the client interface agent then holds all the intelligence and uses it to request the external server to make the necessary associations, so that the external server can forward correctly between the destination communication system (for example the call) and the logical channels established on the outbound connections from the client interface agent to the external server. This mode is more secure, but less flexible when new applications or application upgrades are adopted. For simplicity, the example described below assumes that the client interface agent 11 operates in protocol-agnostic mode.
When starting client interface and act on behalf of 11, is connected to the address of external server 44,46 and the departures TCP of port by beginning, it sets up multiplexed connection 51 as the communication channel that arrives external server 40.(typically this connection is checking and encrypts, but these contents exceed the application's scope.)
Multiplexed connection 51 can transmit the information that belongs to a plurality of TCP and UDP session 52,53.Some logic channels in multiplexed connection 51 distribute statically, and particularly control channel 52.Other logic channel can dynamically be set up when needing occurring.Some logic channels 53 are transferred to terminal 10 by client interface agency 11 or transfer from terminal.Utilize each this logic channel/client interface agency 11 (or depend on be embodied as external server) to be correlated with IP address and port that between client interface agency 11 and terminal 10 use specific T CP or UDP be connected.In other words, client interface agency carries out in the transport address of terminal relevant with between the transport address of its inherent logic channel one end.
As part of the initial configuration, the external server 40 can instruct the client interface agent 11 to set up a number of sockets to listen for registration messages and outgoing calls from the terminal 10.
If the terminal 10 subsequently attempts to register with a gateway or server, the registration message (H.225 RAS, SIP REGISTER, etc.) is sent to the client interface agent 11. The client interface agent 11 forwards the registration message to the external server 40 over logical channel 52 or 53. All responses are sent by the reverse route. The external server 40 stores the terminal's private transport address 14 together with an identifier, or the transport address, of the multiplexed connection 51 on which the registration was received. When the need arises, this information is sufficient to forward incoming calls to the terminal.
To set up an incoming call, the external server 40 needs to establish a call control channel (H.225 call signalling for H.323, or SIP call control) to the terminal 10 through the client interface agent 11. If no suitable logical channel 53 exists between the external server 40 and the client interface agent 11, one is instantiated. As part of this process, the terminal's private transport address (IP address and port) 14 is specified, and the client interface agent 11 establishes a TCP or UDP connection to that private transport address. The messages needed to set up the logical channel 53 are exchanged between the external server 40 and the client interface agent 11 over the control logical channel 52.
Once the logical channel for call control signalling has been set up, the H.323/SIP external server 40 can send the call setup message (H.323 SETUP, SIP INVITE, etc.) to the client interface agent 11. The client interface agent then forwards this message to the terminal 10 over the TCP or UDP connection 54 that was established when the logical channel 53 was created.
In the H.323 case it may be necessary to establish an H.245 connection between the external server 40 and the terminal 10. The address on the terminal 10 to which this connection is to be made is contained in a response sent by the terminal 10 back to the external server 40. If the external server 40 chooses to establish such an H.245 session, it sets up a new logical channel 53 in the same way as the call signalling channel. As part of this process, the client interface agent 11 establishes a TCP connection to the private IP address and port specified in the terminal's response.
For outgoing calls, when the terminal 10 connects to the client interface agent 11 and sends a call setup message (H.323 SETUP, SIP INVITE, etc.), a signalling path can be established between the terminal 10 and the external server 40. If there is no logical channel 53 of this connection type in the multiplexed connection 51, one can be set up by the client interface agent 11 using the control channel 52. The client interface agent 11 then relays the message to the external server 40.
If the outgoing call requires a separate H.245 connection, the external server 40 establishes a new logical channel 53 in the multiplexed connection 51 and instructs the client interface agent 11 to set up a listening socket. The address and port of the socket so created are returned to the external server 40, which includes them in the response it sends to the SETUP message in the H.323 signalling. This information enables the terminal 10 to connect to the listening socket created by the client interface agent 11.
Once the call control path for the incoming or outgoing call has been established, it may be necessary to set up outbound and inbound media paths. As mentioned earlier, the media paths of all currently defined IP-based multimedia applications (including H.323, SIP and MGCP) use RTP. RTP is UDP-based, and a unidirectional RTP connection requires both a forward and a reverse UDP path to be established. It is therefore necessary to set up a UDP path from the terminal 10 through the client interface agent 11 to the external server 40, and another UDP path from the external server 40 through the client interface agent 11 to the terminal 10. In addition, RTP and RTCP connections require a fixed relationship between the ports they use. Consequently, besides being able to open a single port at a time, it must also be possible to open a pair of UDP ports related by the required RTP/RTCP port numbering. Although the following description covers the opening of a single connection, the same principle applies to a request to open a port pair at once.
The following discussion assumes that the H.323 protocol is used. The order of protocol messages relative to control messages may differ for other protocols (such as SIP and MGCP), but the principle is the same.
To establish a UDP path between the terminal 10 and the external server 40, the external server 40 instructs the client interface agent 11 to open a UDP port (or port pair) to which the terminal 10 can connect. The external server 40 also specifies a token, which the client interface agent 11 associates with this connection.
When the port has been opened successfully, the client interface agent 11 returns to the external server 40 an identification of the port. The external server can then send the signalling command required to open the media channel (such as H.245 Open Logical Channel in the H.323 case); this command carries the private IP address and port on the client interface agent 11 to which the terminal 10 is to send its UDP messages. On receiving the command, the client interface agent relays it to the terminal over the connection previously established for this purpose.
The method of operation for inbound UDP connections is similar. The external server 40 instructs the client interface agent 11 to open a port (or port pair) that can be used to send UDP messages to the terminal 10. The client interface agent 11 notifies the external server 40 of the identification of this port. The external server 40 can then include this information in the protocol-specific signalling command that opens a media channel to the terminal 10 through the client interface agent 11 (for example H.245 Open Logical Channel in the H.323 case). The terminal 10 replies to this command, giving the private IP address and port at which it will receive UDP messages for this connection. This reply is relayed back to the external server 40. The external server 40 can then notify the client interface agent 11 of the address to which UDP messages for this connection are to be relayed. Further, in order to set up a mapping in the NAT between the private address and a public address, the external server 40 requests the client interface agent 11 to send, for this connection, a probe packet 55 containing the token to the external server 40. This establishes the private-to-public address mapping, which can in turn be used as the public-address mapping for data sent in the opposite direction to the private address. The external server 40 uses the token in the probe packet 55 to determine the NAT address and port to which it should send UDP messages for this session 57. The external server 40 can now begin sending UDP media to that address. The NAT relays it to the client interface agent 11, which in turn relays it to the terminal 10 (as item 56), thereby completing the connection.
When a UDP connection is no longer needed, the external server 40 instructs the client interface agent 11 to close the relevant sockets. Any private-to-public address mappings in the NAT eventually time out once no data passes through them.
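The following added example (not the patent's code) walks through the inbound media setup just described on both sides: the client interface agent 11 opens an RTP/RTCP port pair, the probe packet 55 carrying the server-issued token crosses a simple address-and-port NAT, and the external server 40 binds the token to the public address it observes, rejecting unknown or re-used tokens and treating the binding as expired once the NAT idle timeout has passed. The probe format, the 60-second timeout and all addresses are assumptions.

```python
"""Model of the token-carrying probe that sets up the NAT mapping for a UDP media
path (items 55, 56, 57).  Added illustration, not the patent's code; the probe
format, the timeout value and every address below are assumptions."""
import secrets

PROBE_MAGIC = b"CIAP"        # assumed 4-byte marker identifying a probe datagram (55)
TOKEN_LEN = 16
NAT_IDLE_TIMEOUT = 60.0      # assumed idle timeout of a NAT mapping, in seconds


def allocate_rtp_pair(free_ports):
    """Take an even RTP port and its odd RTCP neighbour from the agent's free set,
    honouring the fixed RTP/RTCP port relationship the description requires."""
    for port in sorted(free_ports):
        if port % 2 == 0 and port + 1 in free_ports:
            free_ports.discard(port)
            free_ports.discard(port + 1)
            return port, port + 1
    raise RuntimeError("no free RTP/RTCP port pair")


def build_probe(token):
    """Probe datagram the agent sends to the external server for one connection."""
    return PROBE_MAGIC + token


def parse_probe(datagram):
    """Return the token carried in a probe, or None for any other datagram."""
    if len(datagram) != len(PROBE_MAGIC) + TOKEN_LEN or not datagram.startswith(PROBE_MAGIC):
        return None
    return datagram[len(PROBE_MAGIC):]


class ExternalServer:
    """External server (40): issues tokens and learns NAT bindings from probes."""

    def __init__(self):
        self.sessions = {}   # token -> {"public": (ip, port) or None, "last_seen": float}

    def new_session(self):
        """Server asks the agent to open a port and associates a fresh token with it."""
        token = secrets.token_bytes(TOKEN_LEN)
        self.sessions[token] = {"public": None, "last_seen": None}
        return token

    def on_datagram(self, datagram, src, now):
        """src is the source the server sees, i.e. the NAT's public address and port."""
        token = parse_probe(datagram)
        if token is None:
            return "ignored: not a probe"
        session = self.sessions.get(token)
        if session is None:
            return "rejected: unknown token"
        if session["public"] not in (None, src):
            # Same token from another address: a replay, or the NAT mapping changed.
            # Either way it is worth logging and must not silently redirect media.
            return "rejected: token seen from a different address"
        session["public"], session["last_seen"] = src, now
        return "bound"

    def media_destination(self, token, now):
        """Where to send UDP media for this session, or None if not (or no longer) bound."""
        session = self.sessions.get(token)
        if session is None or session["public"] is None:
            return None
        if now - session["last_seen"] > NAT_IDLE_TIMEOUT:
            return None   # NAT mapping presumed timed out; a fresh probe is needed
        return session["public"]

    def close_session(self, token):
        """Server instructs the agent to close the socket and forgets the binding."""
        return self.sessions.pop(token, None) is not None


class SimpleNat:
    """Address-and-port NAT: maps (private ip, port) to (public ip, fresh port)."""

    def __init__(self, public_ip, first_port=30000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out = {}    # private (ip, port) -> public port
        self.back = {}   # public port -> private (ip, port)

    def outbound(self, private_src):
        port = self.out.get(private_src)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out[private_src], self.back[port] = port, private_src
        return (self.public_ip, port)

    def inbound(self, public_dst):
        return self.back.get(public_dst[1])


def run_exchange(now=1000.0):
    """Walk through the inbound-media setup; returns what each party ends up knowing."""
    server, nat = ExternalServer(), SimpleNat("203.0.113.5")        # constructed addresses
    agent_free = {40000, 40001, 40002, 40003}
    rtp_port, rtcp_port = allocate_rtp_pair(agent_free)               # agent opens port pair
    token = server.new_session()                                        # server issues token
    public_src = nat.outbound(("10.1.2.3", rtp_port))                   # probe crosses the NAT
    verdict = server.on_datagram(build_probe(token), public_src, now)
    dest = server.media_destination(token, now + 5)                    # server sends media here
    return {"verdict": verdict, "rtcp_port": rtcp_port, "media_dest": dest,
            "relayed_to": nat.inbound(dest) if dest else None, "token": token, "server": server}
```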
In this description of the invention we have assumed that the external server is a single device with a single IP address. In other embodiments of the invention the 'external server' may be a number of cooperating devices. In addition, each external server device may have one or more IP addresses. Where several IP addresses are used, common practice is to allocate them from a single subnet, so that the firewall rules are programmed to specify the permitted ports to and from the subnet rather than a single IP address.
Note that the private IP address and port number of the H.323 terminal may in fact be identical to the public IP address and port number to which they are mapped, in which case the mapping is transparent.
The advantages of the method described above are:
● NAT and firewall functionality need not be upgraded.
● Signalling latency is kept to a minimum.
● The mechanism requires only a protocol-agnostic client interface agent, and the client interface agent can be used with any suitable real-time protocol.
● The enterprise's IP addresses need not become publicly known through calls made with that enterprise.
● Quality of service and other application-based policies (for example for broadband applications) can be implemented locally, without requiring a single consistent end-to-end solution. For example, the external server can instruct the client interface agent to handle the media flows within a particular call at a specific QoS level, using a method suited to the connection between the client interface agent and the external server, and the external server can map this to the corresponding QoS level available to it in the core network. Likewise, encryption methods can be used between the client interface agent and the security device independently of the security mechanisms used for the other parts (legs) of the call.
In summary, the invention provides a method and system that allows H.323 terminals (or endpoints adapted to other real-time protocols) located in a private IP network to communicate without compromising existing security procedures and measures; without upgrading existing firewalls, routers and proxies; and with full NAT applied to the IP connections, without the NAT function needing to translate or understand the communication protocol in use. Using a shared or public IP network, the invention also allows standard H.323 equipment in a private network to communicate, via a protocol-independent client interface agent and an H.323 proxy server, with other H.323 terminals in the same or a different private and/or public IP network.
Shared resources in the shared IP network can thus be subscribed to by organisations. Costs are kept to a minimum and security is not compromised.
Claims (27)
1. A communication system for handling a communication session with a destination communication system, comprising: a first local terminal in a first network; a first external server in a second network; one or more logical channels between the first local terminal and the first external server for carrying the communication session over a shared communication network; and a device performing a NAT function, through which the communication session must pass, wherein:
i) the first local terminal has at least one transport address used for the communication session;
ii) the device performing the NAT function applies network address mapping to the transport address on connections between the first local terminal and the shared communication network;
iii) the system comprises a client interface agent, which represents the first local terminal in communicating with the first external server;
iv) the client interface agent establishes logical channels in one or more outbound connections to the first external server, said logical channels serving as a control channel between the client interface agent and the first external server;
characterised in that:
v) the outbound connections established by the client interface agent are dynamic outbound connections;
vi) the client interface agent establishes an association between a transport address of the first local terminal and an identifiable logical channel, the identifiable logical channel lying between the client interface agent and the first external server and being established in one or more of said dynamic outbound connections from the client interface agent to the first external server.
2. A method of handling a communication session in a communication system comprising a first local terminal in a first network, a first external server in a second network, a client interface agent between the first local terminal and a shared communication network, and a device performing a NAT function through which the communication session must pass, the method comprising the steps of:
i) carrying the communication session on one or more logical channels between the first local terminal and the first external server over the shared communication network, the first local terminal having at least one transport address used for the communication session;
ii) causing the device performing the NAT function to apply network address mapping to the transport address on connections between the first local terminal and the shared communication network;
iii) using the client interface agent to represent the first local terminal in communicating with the first external server;
iv) using the client interface agent to establish logical channels in one or more outbound connections to the first external server, said logical channels serving as a control channel between the client interface agent and the first external server;
the method being characterised in that it further comprises the steps of:
v) using the client interface agent to establish dynamic outbound connections to the first external server;
vi) using the client interface agent to establish one or more associations between a transport address of the first local terminal and an identifiable logical channel, the identifiable logical channel lying between the client interface agent and the first external server and being established in one or more of said dynamic outbound connections from the client interface agent to the first external server.
3. The method of claim 2, wherein the client interface agent establishes said association in response to a request from the first external server.
4. The method of claim 2, wherein the client interface agent establishes said association in response to a request it generates itself.
5. The method of any one of claims 2 to 4, wherein the first external server, either of its own accord or at the request of the client interface agent, establishes an association between said identifiable logical channel and a logical channel for communicating with the destination communication system.
6. The method of claim 5, wherein the communication system includes a client-server protocol on the control channel, characterised in that: the client-server protocol of the control channel is used to initiate (a) logical channels for the communication used by the first local terminal, (b) dynamic associations of identifiable logical channels between the client interface agent and the first external server, said identifiable logical channels being established in one or more of said dynamic outbound connections from the client interface agent to the first external server, and (c) dynamic associations with logical channels for communication between the first external server and the destination communication system, whereby the first local terminal is located at a transport address of the first external server and the destination communication system is located at a transport address of the client interface agent.
7. The method of claim 6, further comprising the steps of: configuring the first external server as the master external server of the client-server protocol, and modifying the transport addresses carried in the real-time or non-real-time protocol by which the first local terminal and the client interface agent communicate, so that the client interface agent connects to the first local terminal as the destination communication system, and so that the destination communication system uses the connection protocol of the first local terminal in communicating with the first external server.
8. The method of claim 6, further comprising the steps of: configuring the client interface agent as the master client interface agent of the client-server protocol, and modifying the transport addresses carried in the real-time or non-real-time protocol by which the first local terminal and the client interface agent communicate, so that the client interface agent connects to the first local terminal as the destination communication system, and so that the destination communication system uses the connection protocol of the first local terminal in communicating with the first external server.
9. The method of claim 8, wherein the transport address of the first local terminal is dynamically allocated.
10. The method of claim 9, wherein the transport address of the first external server is dynamically allocated.
11. The method of claim 9, wherein all transport addresses of the first external server are statically allocated.
12. The method of claim 11, wherein the communication system comprises a firewall through which the communication session must pass, the firewall restricting particular types of communication between the first local terminal and the shared communication network but not restricting communication between the client interface agent and the first external server.
13. The method of claim 12, wherein at least one transport address of the first external server has at least one pre-assigned port, and the outbound connections from the client interface agent to the first external server use said pre-assigned port.
14. The method of claim 13, wherein all transport addresses of the first external server have pre-assigned ports.
15. The method of claim 14, wherein all transport addresses of the first external server have at most two pre-assigned ports.
16. The method of claim 15, wherein all transport addresses of the client interface agent are dynamically allocated.
17. The method of claim 15, wherein at least one transport address of the outbound connections from the client interface agent to the external server uses a pre-assigned port.
18. The method of claim 15, wherein all transport addresses of the outbound connections from the client interface agent to the external server have pre-assigned ports.
19. The method of claim 18, wherein the communication system comprises a second local terminal in a third network, and the first external server is a proxy server between the first local terminal and the second local terminal, acting during the communication session as a proxy for each terminal towards the other.
20. The method of claim 18, wherein the communication system comprises a second local terminal and a second external server in a third network, the second external server acting as a proxy for the second local terminal, and communication between the first external server and the second external server passing over a public network or the shared communication network.
21. The method of claim 20, wherein the shared communication network comprises the public communication network.
22. The method of claim 21, wherein the shared communication network comprises the Internet.
23. The method of claim 22, wherein the client interface agent is co-located with one of the local terminals.
24. The method of claim 22, wherein the client interface agent is remote from the local terminal.
25. The method of claim 24, wherein more than one local terminal is served by the client interface agent.
26. The method of claim 25, wherein the client interface agent simultaneously represents terminals using different real-time and/or non-real-time protocols.
27. The method of claim 26, wherein the first external server simultaneously represents terminals and/or client interface agents using different real-time and/or non-real-time protocols.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB0029179A (GB2369746A, en) | 2000-11-30 | 2000-11-30 | Communications system with network address translation |
GB0029179.9 | 2000-11-30 | | |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1470119A (en) | 2004-01-21 |
CN1262095C (en) | 2006-06-28 |
Family
ID=9904157
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN01817225.3A (CN1262095C, Expired - Fee Related, en) | Communications system | 2000-11-30 | 2001-11-29 |
Country Status (11)
Country | Link |
---|---|
US (2) | US7512708B2 (en) |
EP (2) | EP1338127B1 (en) |
JP (1) | JP3757399B2 (en) |
CN (1) | CN1262095C (en) |
AT (1) | ATE301362T1 (en) |
AU (2) | AU2002218404B2 (en) |
CA (1) | CA2422764C (en) |
DE (1) | DE60112469T2 (en) |
GB (1) | GB2369746A (en) |
HK (1) | HK1055364A1 (en) |
WO (1) | WO2002045373A2 (en) |
Families Citing this family (123)
TW200915784A (en) * | 2007-09-28 | 2009-04-01 | D Link Corp | Method of using a router as a relay proxy |
JP4540720B2 (en) * | 2008-04-02 | 2010-09-08 | 株式会社エヌ・ティ・ティ・ドコモ | Data communication terminal, proxy device, data communication system, and data communication method |
US8005098B2 (en) * | 2008-09-05 | 2011-08-23 | Cisco Technology, Inc. | Load balancing across multiple network address translation (NAT) instances and/or processors |
EP2166726A1 (en) * | 2008-09-18 | 2010-03-24 | Thomson Telecom Belgium | A method and a gateway for providing multiple internet access |
US8165077B2 (en) * | 2008-09-26 | 2012-04-24 | Microsoft Corporation | Delegation of mobile communication to external device |
US20100180334A1 (en) * | 2009-01-15 | 2010-07-15 | Chen Jy Shyang | Netwrok apparatus and method for transfering packets |
US8305421B2 (en) * | 2009-06-29 | 2012-11-06 | Lifesize Communications, Inc. | Automatic determination of a configuration for a conference |
JP4635095B2 (en) * | 2009-06-30 | 2011-02-16 | 株式会社東芝 | Communication system and server device thereof |
US9167275B1 (en) | 2010-03-11 | 2015-10-20 | BoxCast, LLC | Systems and methods for autonomous broadcasting |
WO2012023886A1 (en) * | 2010-08-17 | 2012-02-23 | Telefonaktiebolaget L M Ericsson (Publ) | NODE AND METHOD FOR AoIP ADDRESS CHANGE |
WO2012096963A1 (en) | 2011-01-10 | 2012-07-19 | Fiberlink Communications Corporation | System and method for extending cloud services into the customer premise |
US10951743B2 (en) | 2011-02-04 | 2021-03-16 | Adaptiv Networks Inc. | Methods for achieving target loss ratio |
US9590913B2 (en) | 2011-02-07 | 2017-03-07 | LiveQoS Inc. | System and method for reducing bandwidth usage of a network |
US8717900B2 (en) | 2011-02-07 | 2014-05-06 | LivQoS Inc. | Mechanisms to improve the transmission control protocol performance in wireless networks |
US20130077618A1 (en) * | 2011-09-23 | 2013-03-28 | Cisco Technology, Inc. | Expeditious resource reservation protocol |
EP2803181A1 (en) * | 2012-01-09 | 2014-11-19 | Qualcomm Incorporated | Cloud computing controlled gateway for communication networks |
US8978126B2 (en) * | 2012-10-29 | 2015-03-10 | Blackberry Limited | Method and system for TCP turn operation behind a restrictive firewall |
CN103532935B (en) * | 2013-09-28 | 2017-01-18 | 福建星网锐捷软件有限公司 | Domain strategy-based P2P (Peer-to-Peer) streaming media transmission control method |
CN104869065B (en) * | 2014-02-26 | 2020-04-21 | 中兴通讯股份有限公司 | Data message processing method and device |
CN104869144A (en) * | 2014-02-26 | 2015-08-26 | 联想(北京)有限公司 | Information sharing method and electronic equipment |
US20160072839A1 (en) * | 2014-09-05 | 2016-03-10 | Salesforce.Com, Inc. | Facilitating dynamic management of participating devices within a network in an on-demand services environment |
US10257159B2 (en) * | 2014-12-04 | 2019-04-09 | Belkin International, Inc. | Methods, systems, and apparatuses for providing a single network address translation connection for multiple devices |
US10063439B2 (en) | 2014-09-09 | 2018-08-28 | Belkin International Inc. | Coordinated and device-distributed detection of abnormal network device operation |
US20160072764A1 (en) * | 2014-09-10 | 2016-03-10 | T-Mobile Usa, Inc. | Dynamic double network address translator |
US10270840B2 (en) * | 2015-01-01 | 2019-04-23 | Bank Of America Corporation | Modular system for holistic data transmission across an enterprise |
CN104811473B (en) * | 2015-03-18 | 2018-03-02 | 华为技术有限公司 | A kind of method, system and management system for creating virtual non-volatile storage medium |
WO2016176434A1 (en) * | 2015-04-28 | 2016-11-03 | Duke Manufacturing Co. | System and apparatus for connecting kitchen components |
US10038651B2 (en) | 2015-09-05 | 2018-07-31 | Nevion Europe As | Asynchronous switching system and method |
US10021589B2 (en) * | 2016-01-26 | 2018-07-10 | Sprint Communications Company L.P. | Wireless data system that associates internet protocol ports with quality-of-service for user applications |
US10154317B2 (en) | 2016-07-05 | 2018-12-11 | BoxCast, LLC | System, method, and protocol for transmission of video and audio data |
US10511521B2 (en) | 2016-08-03 | 2019-12-17 | Anchorfree Inc. | System and method for virtual multipath data transport |
US20180234506A1 (en) * | 2017-02-14 | 2018-08-16 | Gu Zhang | System and methods for establishing virtual connections between applications in different ip networks |
US10931720B2 (en) | 2017-06-08 | 2021-02-23 | Avaya Inc. | IP tolerance and signaling interworking |
US10938786B2 (en) | 2017-12-01 | 2021-03-02 | Twingate Inc. | Local interception of traffic to a remote forward proxy |
US10834138B2 (en) | 2018-08-13 | 2020-11-10 | Akamai Technologies, Inc. | Device discovery for cloud-based network security gateways |
CN109474667B (en) * | 2018-10-12 | 2021-05-25 | 广州雷迅创新科技股份有限公司 | Unmanned aerial vehicle communication method based on TCP and UDP |
US10951589B2 (en) * | 2018-12-06 | 2021-03-16 | Akamai Technologies, Inc. | Proxy auto-configuration for directing client traffic to a cloud proxy |
JP7188046B2 (en) * | 2018-12-14 | 2022-12-13 | 富士フイルムビジネスイノベーション株式会社 | Communication system, communication device, communication system program and communication program |
CN116346924A (en) * | 2021-12-24 | 2023-06-27 | 北京字节跳动网络技术有限公司 | Network request processing method, device, equipment and storage medium |
Family Cites Families (68)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CA1259430A (en) * | 1985-07-19 | 1989-09-12 | Fumio Akashi | Multipoint communication system having polling and reservation schemes |
US5301320A (en) | 1991-06-28 | 1994-04-05 | Digital Equipment Corporation | Workflow management and control system |
US5282222A (en) * | 1992-03-31 | 1994-01-25 | Michel Fattouche | Method and apparatus for multiple access between transceivers in wireless communications using OFDM spread spectrum |
US5337313A (en) * | 1992-11-12 | 1994-08-09 | Motorola, Inc. | Method and apparatus for preserving packet squencing in a packet transmission system |
EP0615198A1 (en) | 1993-03-08 | 1994-09-14 | International Business Machines Corporation | Method for processing, handling, and presenting data pertaining to an enterprise in the form of a data model |
US5781550A (en) | 1996-02-02 | 1998-07-14 | Digital Equipment Corporation | Transparent and secure network gateway |
DE69708281T2 (en) | 1996-04-24 | 2002-05-16 | Nortel Networks Ltd | INTERNET PROTOCOL-FILTER |
JPH10289479A (en) * | 1997-04-10 | 1998-10-27 | Tdk Corp | Optical recording medium |
US6273622B1 (en) * | 1997-04-15 | 2001-08-14 | Flash Networks, Ltd. | Data communication protocol for maximizing the performance of IP communication links |
US6473406B1 (en) | 1997-07-31 | 2002-10-29 | Cisco Technology, Inc. | Method and apparatus for transparently proxying a connection |
US6490620B1 (en) | 1997-09-26 | 2002-12-03 | Worldcom, Inc. | Integrated proxy interface for web based broadband telecommunications management |
US6058431A (en) * | 1998-04-23 | 2000-05-02 | Lucent Technologies Remote Access Business Unit | System and method for network address translation as an external service in the access server of a service provider |
US6175548B1 (en) * | 1998-06-29 | 2001-01-16 | Sony Corporation | Optical recording medium and optical recording and reproducing apparatus |
US6360265B1 (en) | 1998-07-08 | 2002-03-19 | Lucent Technologies Inc. | Arrangement of delivering internet protocol datagrams for multimedia services to the same server |
US6628629B1 (en) * | 1998-07-10 | 2003-09-30 | Malibu Networks | Reservation based prioritization method for wireless transmission of latency and jitter sensitive IP-flows in a wireless point to multi-point transmission system |
US6401128B1 (en) | 1998-08-07 | 2002-06-04 | Brocade Communiations Systems, Inc. | System and method for sending and receiving frames between a public device and a private device |
US6438597B1 (en) | 1998-08-17 | 2002-08-20 | Hewlett-Packard Company | Method and system for managing accesses to a data service system that supports persistent connections |
JP2000132855A (en) * | 1998-10-27 | 2000-05-12 | Matsushita Electric Ind Co Ltd | Optical information recording and reproducing device |
US6470020B1 (en) | 1998-11-03 | 2002-10-22 | Nortel Networks Limited | Integration of stimulus signalling protocol communication systems and message protocol communication systems |
US6182149B1 (en) * | 1999-01-11 | 2001-01-30 | 3Com Corporation | System for managing dynamic processing resources in a network |
NO995081D0 (en) * | 1999-10-18 | 1999-10-18 | Ericsson Telefon Ab L M | Device for H.323 proxy |
US7120692B2 (en) | 1999-12-02 | 2006-10-10 | Senvid, Inc. | Access and control system for network-enabled devices |
US6677104B2 (en) * | 2000-02-10 | 2004-01-13 | Tdk Corporation | Optical information medium |
US6631417B1 (en) | 2000-03-29 | 2003-10-07 | Iona Technologies Plc | Methods and apparatus for securing access to a computer |
US7814208B2 (en) | 2000-04-11 | 2010-10-12 | Science Applications International Corporation | System and method for projecting content beyond firewalls |
US6631416B2 (en) | 2000-04-12 | 2003-10-07 | Openreach Inc. | Methods and systems for enabling a tunnel between two computers on a network |
US6996628B2 (en) | 2000-04-12 | 2006-02-07 | Corente, Inc. | Methods and systems for managing virtual addresses for virtual networks |
GB2365256A (en) | 2000-07-28 | 2002-02-13 | Ridgeway Systems & Software Lt | Audio-video telephony with port address translation |
US20020042832A1 (en) | 2000-08-14 | 2002-04-11 | Fallentine Mark D. | System and method for interoperability of H.323 video conferences with network address translation |
US7047561B1 (en) * | 2000-09-28 | 2006-05-16 | Nortel Networks Limited | Firewall for real-time internet applications |
GB2369746A (en) | 2000-11-30 | 2002-06-05 | Ridgeway Systems & Software Lt | Communications system with network address translation |
KR100360274B1 (en) | 2000-12-30 | 2002-11-09 | 엘지전자 주식회사 | Method for supporting general ip telephone system in nat based private network |
US7155518B2 (en) | 2001-01-08 | 2006-12-26 | Interactive People Unplugged Ab | Extranet workgroup formation across multiple mobile virtual private networks |
US7631349B2 (en) | 2001-01-11 | 2009-12-08 | Digi International Inc. | Method and apparatus for firewall traversal |
AU2002234258A1 (en) | 2001-01-22 | 2002-07-30 | Sun Microsystems, Inc. | Peer-to-peer network computing platform |
US6928082B2 (en) | 2001-03-28 | 2005-08-09 | Innomedia Pte Ltd | System and method for determining a connectionless communication path for communicating audio data through an address and port translation device |
US6993012B2 (en) | 2001-02-20 | 2006-01-31 | Innomedia Pte, Ltd | Method for communicating audio data in a packet switched network |
US7173928B2 (en) | 2001-02-20 | 2007-02-06 | Innomedia Pte, Ltd | System and method for establishing channels for a real time streaming media communication system |
US7050422B2 (en) | 2001-02-20 | 2006-05-23 | Innomedia Pte, Ltd. | System and method for providing real time connectionless communication of media data through a firewall |
US20020138627A1 (en) | 2001-03-26 | 2002-09-26 | Frantzen Michael T. | Apparatus and method for managing persistent network connections |
US8363647B2 (en) | 2001-04-03 | 2013-01-29 | Voxpath Networks, Inc. | System and method for configuring an IP telephony device |
US7068647B2 (en) | 2001-04-03 | 2006-06-27 | Voxpath Networks, Inc. | System and method for routing IP packets |
US7272650B2 (en) | 2001-04-17 | 2007-09-18 | Intel Corporation | Communication protocols operable through network address translation (NAT) type devices |
US20030009561A1 (en) | 2001-06-14 | 2003-01-09 | Sollee Patrick N. | Providing telephony services to terminals behind a firewall and /or network address translator |
US20030033418A1 (en) | 2001-07-19 | 2003-02-13 | Young Bruce Fitzgerald | Method of implementing and configuring an MGCP application layer gateway |
WO2003019870A2 (en) | 2001-08-24 | 2003-03-06 | Peribit Networks, Inc. | Dynamic multi-point meshed overlay network |
US7321925B2 (en) | 2001-09-18 | 2008-01-22 | Intel Corporation | Load balancing and fault tolerance for server-based software applications |
US7302700B2 (en) | 2001-09-28 | 2007-11-27 | Juniper Networks, Inc. | Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device |
US7274684B2 (en) | 2001-10-10 | 2007-09-25 | Bruce Fitzgerald Young | Method and system for implementing and managing a multimedia access network device |
US20030084162A1 (en) | 2001-10-31 | 2003-05-01 | Johnson Bruce L. | Managing peer-to-peer access to a device behind a firewall |
US7379465B2 (en) | 2001-12-07 | 2008-05-27 | Nortel Networks Limited | Tunneling scheme optimized for use in virtual private networks |
US7013342B2 (en) | 2001-12-10 | 2006-03-14 | Packeteer, Inc. | Dynamic tunnel probing in a communications network |
US6860616B2 (en) * | 2001-12-14 | 2005-03-01 | Iq Hong Kong, Ltd. | Ultraviolet light writing system |
US7227864B2 (en) | 2001-12-17 | 2007-06-05 | Microsoft Corporation | Methods and systems for establishing communications through firewalls and network address translators |
US7152105B2 (en) | 2002-01-15 | 2006-12-19 | Mcafee, Inc. | System and method for network vulnerability detection and reporting |
US7257630B2 (en) | 2002-01-15 | 2007-08-14 | Mcafee, Inc. | System and method for network vulnerability detection and reporting |
US7664845B2 (en) | 2002-01-15 | 2010-02-16 | Mcafee, Inc. | System and method for network vulnerability detection and reporting |
US20030140142A1 (en) | 2002-01-18 | 2003-07-24 | David Marples | Initiating connections through firewalls and network address translators |
US7133368B2 (en) | 2002-02-01 | 2006-11-07 | Microsoft Corporation | Peer-to-peer method of quality of service (QoS) probing and analysis and infrastructure employing same |
US20030154306A1 (en) | 2002-02-11 | 2003-08-14 | Perry Stephen Hastings | System and method to proxy inbound connections to privately addressed hosts |
WO2003083692A1 (en) | 2002-03-27 | 2003-10-09 | First Virtual Communications | System and method for traversing firewalls with protocol communications |
US7243141B2 (en) | 2002-05-13 | 2007-07-10 | Sony Computer Entertainment America, Inc. | Network configuration evaluation |
US7676579B2 (en) | 2002-05-13 | 2010-03-09 | Sony Computer Entertainment America Inc. | Peer to peer network communication |
WO2003105010A1 (en) | 2002-06-06 | 2003-12-18 | Neoteris, Inc. | Method and system for providing secure access to private networks |
US6674758B2 (en) | 2002-06-06 | 2004-01-06 | Clinton Watson | Mechanism for implementing voice over IP telephony behind network firewalls |
US7143188B2 (en) | 2002-06-13 | 2006-11-28 | Nvidia Corporation | Method and apparatus for network address translation integration with internet protocol security |
US20030233471A1 (en) | 2002-06-17 | 2003-12-18 | Julian Mitchell | Establishing a call in a packet-based communications network |
US7277963B2 (en) | 2002-06-26 | 2007-10-02 | Sandvine Incorporated | TCP proxy providing application layer modifications |
- 2000
  - 2000-11-30 GB GB0029179A patent/GB2369746A/en not_active Withdrawn
- 2001
  - 2001-11-29 EP EP01999096A patent/EP1338127B1/en not_active Expired - Lifetime
  - 2001-11-29 EP EP04078221A patent/EP1511271A3/en not_active Withdrawn
  - 2001-11-29 AU AU2002218404A patent/AU2002218404B2/en not_active Ceased
  - 2001-11-29 AU AU1840402A patent/AU1840402A/en active Pending
  - 2001-11-29 JP JP2002546385A patent/JP3757399B2/en not_active Expired - Fee Related
  - 2001-11-29 US US10/432,468 patent/US7512708B2/en not_active Expired - Lifetime
  - 2001-11-29 AT AT01999096T patent/ATE301362T1/en not_active IP Right Cessation
  - 2001-11-29 CN CN01817225.3A patent/CN1262095C/en not_active Expired - Fee Related
  - 2001-11-29 WO PCT/GB2001/005253 patent/WO2002045373A2/en active IP Right Grant
  - 2001-11-29 CA CA2422764A patent/CA2422764C/en not_active Expired - Fee Related
  - 2001-11-29 DE DE60112469T patent/DE60112469T2/en not_active Expired - Lifetime
- 2003
  - 2003-09-30 HK HK03107052A patent/HK1055364A1/en not_active IP Right Cessation
- 2009
  - 2009-01-05 US US12/348,648 patent/US8291116B2/en not_active Expired - Lifetime
Also Published As
Publication number | Publication date |
---|---|
EP1511271A2 (en) | 2005-03-02 |
EP1338127A2 (en) | 2003-08-27 |
EP1511271A3 (en) | 2012-04-11 |
HK1055364A1 (en) | 2004-01-02 |
WO2002045373A3 (en) | 2002-10-17 |
CA2422764A1 (en) | 2002-06-06 |
CA2422764C (en) | 2011-01-04 |
US20040028035A1 (en) | 2004-02-12 |
ATE301362T1 (en) | 2005-08-15 |
DE60112469T2 (en) | 2006-06-14 |
GB0029179D0 (en) | 2001-01-17 |
GB2369746A (en) | 2002-06-05 |
WO2002045373A2 (en) | 2002-06-06 |
JP2004515164A (en) | 2004-05-20 |
AU2002218404B2 (en) | 2006-09-07 |
US20090116487A1 (en) | 2009-05-07 |
US8291116B2 (en) | 2012-10-16 |
JP3757399B2 (en) | 2006-03-22 |
CN1470119A (en) | 2004-01-21 |
DE60112469D1 (en) | 2005-09-08 |
US7512708B2 (en) | 2009-03-31 |
AU1840402A (en) | 2002-06-11 |
EP1338127B1 (en) | 2005-08-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN1262095C (en) | Communications system | |
EP1305927B1 (en) | Audio-video telephony with firewalls and network address translation | |
US8244876B2 (en) | Providing telephony services to terminals behind a firewall and/or a network address translator | |
US8204066B2 (en) | Method for predicting a port number of a NAT equipment based on results of inquiring the STUN server twice | |
US7773580B2 (en) | Apparatus and method for voice processing of voice over internet protocol (VoIP) | |
AU2002218404A1 (en) | Communications system | |
US20070217408A1 (en) | Address Resolution Device, Address Resolution Method, And Communication System Including The Same | |
CN101030865A (en) | Network address conversion and/or firewall spanning platform, system and method | |
EP2026528B1 (en) | Integrated internet telephony system and signaling method thereof | |
EP1687957B1 (en) | Network-network interface for inter-operator service | |
CN1794698A (en) | System of soft exchange network passing through firewall based on ALG+MP and its method | |
Cook | Design of a Voice-Aware Firewall Architecture | |
Gatch | IP PBX/Service Provider Interoperability | |
CONSTANTINESCU et al. | Session borders controllers: next step in full deployment of voice over IP services |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
C56 | Change in the name or address of the patentee | Owner name: TANDERBERG TELECOMMUNICATION ENGLISH CO., LTD. Free format text: FORMER NAME OR ADDRESS: RIDGEWAY SYSTEMS AND SOFTWARE LTD. ||
CP01 | Change in the name or title of a patent holder | Address after: UK Patentee after: Tandeboge Telecom UK Limited Address before: UK Patentee before: Ridgeway Systems and Software Ltd. ||
CF01 | Termination of patent right due to non-payment of annual fee ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20060628 Termination date: 20201129 ||